Re: [squid-users] proxy auth hosts and active directory

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 8 Dec 2004 23:26:56 +0100 (CET)

On Thu, 18 Nov 2004, Rolf wrote:

> Firstly, in the external_acl_type directive, -h hostname defines the Active
> Directory server to query. Can I specify for redundancy purposes more than
> one hostname?

Yes.

> Secondly, I am about to deploy a second squid box for redundancy purposes.
> How, if at all, is the proxy authentication kept in sync between the two?

It doesn't need to.

> If browser has a config that says try proxyA then ProxyB, so it contacts
> proxyA and does the auth, then proxyA disappears, does the browser have
> to re-authenticate with ProxyB at next http request or can the auth data
> be made available on proxyB?

This depends on how you load balance between the proxies. For
authentication to work the browser must have a single DNS name for all the
proxies and any load balancing taking place outside of the browser (either
DNS round-robin, or a layer 4 load balancer in front of the proxies).

If you use proxy.pac scripts with different proxy host names then
the user will be asked to authenticate again when switched to another
proxy.

> Lastly, (not strictly a squid question) so far we have around 25 users using
> proxy auth - largely as a testing set - eventual production will deal with
> about 1500 users. Of those 25, one Active Directory user does not work.
> Clearly this is an issue within AD for that userid. Has anyone seen or know
> of any particular quirks in AD userids that stop it working?

The only quirk I know of is if the user is using national characters
outside of US-ASCII in his login or password. This never works reliably
due to HTTP protocol being restricted to US-ASCII.

> The credentials, user/pass, are accepted (ie they are not prompted for again
> as in the case of being incorrect) but won't accept that the user has access
> by dint of being in the relevant group, even though they certainly are

Then it is time to look into what your AD says via LDAP about this user's
group membership.

The ldap group helper can easily be tested from the command line, and if
using the -d flag then it is relatively verbose about what kind of LDAP
questions it makes. The helper expects username SPACE groupname NEWLINE as
input, and responds with OK/ERR.

Regards
Henrik
Received on Thu Dec 09 2004 - 09:53:23 MST
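
The helper protocol Henrik describes above (one request line of "username SPACE groupname", one answer line of OK or ERR) is small enough to model in full, which is useful both for understanding what the command-line test should look like and for driving a real helper from a script. The following Python is an added example, not Squid's own helper code: SAMPLE_GROUPS is a constructed stand-in for the group membership a real helper would fetch over LDAP from the server named by -h, and the assumption that the helper accepts more than one group name after the username (answering OK on any match) is mine, not something the message states. The helper binary name squid_ldap_group in query_real_helper is the name under which the Squid 2.x LDAP group helper ships; the rest of its command line is deployment specific and left out.

```python
"""Model of the request/answer protocol Henrik describes for Squid's LDAP group
helper ("username SPACE groupname NEWLINE" in, "OK" or "ERR" out), plus a
driver that feeds a real helper binary the same way.  Added example; not
Squid's own helper code.  SAMPLE_GROUPS is a constructed stand-in for what
AD would return over LDAP."""
import io
import subprocess
from typing import Dict, List, Set, TextIO

# Constructed sample directory: group name -> member logins.  A real helper
# resolves this with an LDAP search against the AD server given by -h.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "proxyusers": {"alice", "bob"},
    "proxyadmins": {"alice"},
}


def is_member(user: str, group: str, directory: Dict[str, Set[str]] = SAMPLE_GROUPS) -> bool:
    """AD logins and group names match case-insensitively, so normalise both sides."""
    members = directory.get(group.lower(), set())
    return user.lower() in {m.lower() for m in members}


def answer_request(line: str, directory: Dict[str, Set[str]] = SAMPLE_GROUPS) -> str:
    """Turn one request line into the helper's one-line answer.

    Assumption (not stated in the message): the helper accepts one or more
    group names after the username and answers OK if the user is in any of
    them.  A malformed line still gets an answer, because Squid waits for
    exactly one reply per request and a silent helper stalls the lookup.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(is_member(user, g, directory) for g in groups) else "ERR"


def serve(stdin: TextIO, stdout: TextIO, directory: Dict[str, Set[str]] = SAMPLE_GROUPS) -> int:
    """Helper main loop: one answer per input line until EOF; returns lines handled."""
    count = 0
    for line in stdin:
        stdout.write(answer_request(line, directory) + "\n")
        stdout.flush()  # Squid reads answers as they arrive; never hold them back
        count += 1
    return count


def run_requests(text: str, directory: Dict[str, Set[str]] = SAMPLE_GROUPS) -> str:
    """Feed a batch of request lines through serve() and return the answer text."""
    out = io.StringIO()
    serve(io.StringIO(text), out, directory)
    return out.getvalue()


def query_real_helper(cmd: List[str], user: str, group: str, timeout: float = 10.0) -> str:
    """Ask a real helper binary the way Squid (or `echo ... | helper`) would.

    cmd is the helper command line from external_acl_type, e.g.
    ["squid_ldap_group", "-d", "-h", "ad.example.invalid", ...]; the remaining
    options depend on the deployment and are not shown here.  Returns the
    first answer line, or "" if the helper exited without answering.
    """
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(f"{user} {group}\n", timeout=timeout)
    lines = out.splitlines()
    return lines[0].strip() if lines else ""


if __name__ == "__main__":
    # Stand-alone: behave like a helper on stdin/stdout against the sample table,
    # so `echo "alice proxyusers" | python3 thisfile.py` prints OK.
    import sys
    serve(sys.stdin, sys.stdout)
```

The shell equivalent of query_real_helper for the one user that fails is simply `echo "username groupname" | squid_ldap_group -d -h adserver ...` with the site's remaining options filled in; with -d the helper prints the LDAP searches it performs, which is where a membership that AD reports differently from what you expect (nested groups, a different sAMAccountName, a group in another OU) shows up. Whatever the cause, the answer for that line should be a bare OK or ERR and nothing else; extra output or no output at all means the helper itself, not the user's group membership, is the thing to fix.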
